Information Commissioner’s Office


Audit Committee - minutes


20 January 2020

Members: 

Ailsa Beaton (chair) Non-Executive Director 

Jane McCall Non-Executive Director 

Attendees: 

ICO 

Elizabeth Denham Information Commissioner 

Paul Arnold Deputy Chief Executive Officer 

Louise Byers Director of Corporate Affairs and Governance 
Andrew Hubert Director of Resources 


Internal Auditors 
Gary Stewart Mazars 


External Auditors 


Sid Sidhu National Audit Office 

Robert Buysman National Audit Office 

David Eagles BDO 

Imran Arshad BDO 

Secretariat 

Chris Braithwaite Senior Corporate Governance Manager 
Caroline Robinson Corporate Governance Officer 


1. Introductions and apologies 


1.1. Apologies for absence were received from Roger Barlow, 
Joanne Butler, Peter Cudlip and Darren Jones. 


2. Declaration of interests

2.1 No declarations of interests were made.


3. Matters arising from the previous meeting


3.1 The minutes of the previous meeting were approved as an 
accurate record. 


3.2 Chris Braithwaite confirmed that all actions from previous
meetings have been completed with one exception. The
report on KPIs will be presented at Management Board on 24
January rather than Audit Committee.

3.3 Ailsa Beaton mentioned that it is very pleasing to see that the
actions are progressing appropriately.


4. Deputy Chief Executive Officer’s update 


4.1 Paul Arnold provided the Committee with an update on
matters relating to the Committee’s work which were not
otherwise addressed in the agenda. This included updates on
the upcoming meetings with new Government officials
following on from the recent election; Brexit preparations;
working with other regulators; the constitutional review with
DCMS; the first fine under GDPR; and updates on fee income.
He also provided an update on funding the ICO’s litigation
costs, and thanked Louise Byers for her excellent work in this
area.

4.2 Ailsa Beaton raised a question about the future of GDPR after
Brexit. The Committee discussed the various options and the
work the office is undertaking to inform any discussion.


5. Risk and opportunity register 


5.1 Risk Management Policy; Louise Byers presented the policy,
which was a recommendation highlighted from the risk
management audit in response to the growth of the
organisation. The Policy will also be presented to
Management Board and circulated throughout the senior
management. Louise Byers confirmed that training for the
Heads of Department has also been carried out.

5.2 Ailsa Beaton stated that it was very pleasing to see that the
policy has been developed and that it will go to the Board.

5.3 Jane McCall commented that the policy was really strong
around culture and embedding in the everyday, however she
was expecting more actions around horizon scanning.

5.4 Jane McCall asked for further information regarding the
minimal appetite relating to Information Governance and the
logic behind that. Louise Byers confirmed that we are
balancing our own regulatory risk whilst not wanting to
dampen our own innovation on how we store and use
information. Paul Arnold cited the decision to use Cloud for
storage of information as a good example of this.

5.5 Ailsa Beaton highlighted the open risk appetite on
infrastructure and resources and suggested that as this
includes cyber security it may be preferable to break down
activities to make clear which parts of the risk area are more
averse. Louise Byers confirmed that we are open to look at
new ways of working and delivery. However once at the
delivery stage, the risk issues may be different.

5.6 Risk & Opportunity Register; Louise Byers asked the
Committee to consider the recommended changes to the risk
register following on from the bi-monthly review of Corporate
Risks and to decide whether they would like to conduct a deep
dive into one of the risks, as recommended in the risk
management audit.

5.7 The Committee confirmed that they are happy with the
proposed reduction in the cyber security risk.

5.8 The Committee agreed that a deep dive should be conducted
into the risk relating to compliance culture (R73), with a
particular focus on the information disclosure incidents. It
would be helpful for this to include line-by-line reporting on
each information disclosure, to allow the Committee to
consider whether the severity of these was being
appropriately classified, as well as analysis of the
understanding of this policy within the organisation.


Action: Corporate Governance to facilitate the Audit 
Committee conducting a deep dive into R73 
(compliance culture), with a particular focus on 
information disclosure incidents. 


6. Service Excellence Transformation Programme 


6.1 Paul Arnold updated the Committee on the work carried out
on the service realignment from last year. Most of the
planned service alignments have now been completed. The
outstanding objectives are the ones that affect the most
members of staff, to form a single Data Protection Complaints
Service. This includes significant alignment of customer
facing technology and staff and should all take place in
February.

6.2 Paul Arnold confirmed that the Directors involved are getting
a good picture of efficiencies made as a result of the
realignment and that a fuller report will be presented to the
Committee later in the year providing analysis on efficiencies
and customer satisfaction.

6.3 Ailsa Beaton stated that it is good to see that this is
progressing well and the Committee looks forward to
confirmation that it is meeting its objectives.


Action: Paul Arnold to provide the Committee with a report 
to the October 2020 meeting giving analysis of the impact of 
the service excellence transformation programme on 
efficiencies and customer satisfaction. 


7. Finance 


Capacity and Capability 


7.1 Andrew Hubert presented the Capacity and Capability report
which was requested at the last Audit Committee meeting.

7.2 There are plans to bring in more transactional staff to support
volumes. Andrew Hubert confirmed that he is happy with the
capacity and capability of the team with the proposed Finance
structure and an appropriate finance system.

7.3 It was confirmed that the proposed roles are allocated in the
budget. However, they will need to go through the business
case review prior to advertising the roles.


Management Accounts 


7.4 The November accounts were provided to the Committee due
to the timing of the meeting. Andrew Hubert provided an
update on the income fee as it currently stands. The shortfall
has been reduced to £600,000 by mid-January.

7.5 There will be an overspend on travel and legal costs; however,
the agreement with DCMS will help to offset some of the legal
costs. The overspend on travel is a consequence of
requirements on the ICO, including flights to Brussels due to
Brexit.

7.6 There has been a good turnaround on the fee income work
which has been carried out. The Companies House project
will continue into next financial year.


Changes to accounting standards


7.7 Andrew Hubert highlighted IFRS16 which is coming into place
this year relating to leases. It was confirmed that we are
having monthly finance meetings with DCMS and the work is
on track.


8. 2019/20 ICO Annual Report 


8.1 Louise Byers presented the proposal for the Annual Report
and confirmed that we are looking to produce a similar format
as last year. The first half of the report will be more in line
with best practice identified by other regulators.

8.2 It was confirmed that a timetable is in place and we have
already commissioned the content and have arranged
fortnightly meetings with the main people involved in the
delivery of the report.


9. Internal Audit 


9.1 Progress Report; Gary Stewart highlighted that we remain on
track on audits and there are no concerns about delivery to
the end of March.

9.2 An initial audit meeting for the audit plan for 2020/21 has
already taken place. It was agreed that the Audit Committee
will be given an opportunity for initial feedback on the audit
plan by email, prior to this being agreed at the April meeting.


Action: Chris Braithwaite to facilitate an opportunity for the 
Audit Committee to comment on the draft internal audit plan. 


9.3 Ailsa Beaton stated that it was a good progress report and it
was pleasing to see that everything was on track.

9.4 Gary Stewart highlighted the upcoming Mazars Governance
Forum in May. Ailsa Beaton and Joanne Butler attended the
December event and found it very helpful. Jane McCall will
attend the May event.

9.5 Programme & Project Management; Overall adequate
assurance. Mazars were broadly content that the framework
was adequate and there are some degrees of maturity within
the ICO which they don’t see in other organisations.

9.6 Overall there were 5 significant recommendations. The
Committee discussed the recommendations related to training
and Louise Byers confirmed that the work currently being
carried out by Workforce Development on a Project
Management Network should help with sharing the skills more
broadly across the organisation, utilising staff skills in a more
agile way.

9.7 It was flagged that most of the actions from this audit are
owned by Jo Butler. Louise Byers confirmed that the actions
are mainly linked to the business planning process which is
under way and the timescales are deliverable.

9.8 Corporate Governance Audit; adequate assurance. There
were two significant points relating to Board skills and
succession planning, ensuring that a gap analysis is carried
out on Board members which then links into the succession
planning for new board members.


10. Outstanding audit recommendations 


10.1 Chris Braithwaite confirmed that there has been good
progress this quarter with 14 recommendations cleared
including all outstanding actions from 2018/19 audits.

10.2 Chris Braithwaite updated on the one late recommendation
relating to the Grants Programme.


11. External audit 


11.1 David Eagles introduced Imran Arshad who is taking on the
role of Audit Manager based at the Manchester office, and
introduced the external audit plan for 2019/20.

11.2 The threshold for materiality has increased; however, it
remains within 2% of spend level.

11.3 David Eagles highlighted the two significant risks,
management override (which is a mandated risk for all
bodies) and IFRS16 which relates to leases.

11.4 The main areas of Audit Focus will be Brexit uncertainties and
revenue recognition.

11.5 Ailsa Beaton confirmed that the audits match with the
Committee’s expectations.

11.6 The Committee discussed the growth within the organisation.
Jane McCall commented that this had created a need to
ensure that new staff were aware and compliant with
processes. It would be reassuring to ensure that nothing has
been missed in making sure that the processes are fit for
purpose in line with the new structure. David Eagles
confirmed that the skill sets in the Finance team will be key and
they are comfortable with the finance structure.


The Committee was not aware of any non-compliance issues. 


Elizabeth Denham asked whether BDO is aware of any peer 
organisations that are looking at a carbon audit. It was 
confirmed that it is on the radar of some public bodies. 


Paul Arnold confirmed that there is a piece of work currently 
being carried out within the organisation looking at carbon 
offsetting. We are also liaising with UKRN on this matter. 


Action: BDO to provide examples of best practice with
regard to carbon offsetting/reduction.


12. Progress towards achieving the minimum cyber 
security standards 


12.1 Paul Arnold presented the tracker showing the work currently
being carried out on cyber security standards. The seven
outstanding actions are confirmed as low risk and should all
be completed by end of February.


Paul Arnold confirmed that cyber security reports in to the 
Information Risk and Governance Board and it is proposed 
that the Audit Committee will receive a twice yearly 
consolidated report on the work carried out by the IRGB. 


Action: Paul Arnold to provide a report on the work of the 
Information Risk Governance Board to the April Audit 
Committee, and bi-yearly thereafter. 


13. Business Impact Analysis 


13.1 Louise Byers presented the report. This is a rolling
programme of work and the next step beyond the impact
assessment is to look at developing plans for the areas of
work identified as priority areas.


13.2 It was confirmed that this is an area that will feature on the 
internal audit plan for next year. 


13.3 Ailsa Beaton felt that this was going in the right direction. 


Louise Byers confirmed that plans are in place to carry out 
business continuity tests. 


14. Fraud, whistleblowing and security 


14.1 Chris Braithwaite presented the report. Additional context 
has been added to this report, providing information on staff 
levels and customer contacts. 


14.2 Ailsa Beaton confirmed that she has received one 
Whistleblowing report for the current quarter. Jane McCall 
will be investigating it. 


15. Single Tender Contract Awards

There were no single-tender contract awards this quarter.


16. Any other business


16.1 Jane McCall commented that the papers were really good, 
especially with the forward planning and increasing maturity 
in the work being carried out. Ailsa Beaton thanked 
everybody involved with producing the papers. 


